shibboleth-dev - RE: Feature request for metadatatool

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Feature request for metadatatool
  • Date: Thu, 8 Dec 2005 12:05:21 -0500
  • Organization: The Ohio State University

> I see a value of self-publishing metadata, even if it has to be signed
> by the federations in which an SP participates.
>
> With self-publishing instead of central management there would not be
> the need to have a separate cron job to regularly update the signed
> federation metadata file at each IdP (or vice versa for the SPs) in
> order to guarantee proper interworking.

I see no connection between these ideas. Self-publishing doesn't get the
metadata to the IdP or the SP, so a cron job is still required. Cron jobs
are replaced by dynamic lookup, but dynamic lookup is separate from who
publishes the file, it just determines where the file might be.

> If a mechanism like 'modified-since' in http would be used, it would not
> be much overhead to check for updated metadata on the fly, especially
> when adding a cache with TTL like in DNS.

You can do this now, it's just orthogonal. The bottom line to me is that if
you have to submit metadata for signing, the signing entity may as well
publish it.

The self-publishing model seems to be geared toward using TLS certs to
protect the metadata and somehow base trust in the metadata on that.

-- Scott
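The two mechanisms the reply keeps apart, where the metadata is fetched from (TTL cache plus HTTP conditional requests) and whether it is trusted (the federation's signature), as an added example. This is not Shibboleth or OpenSAML code and not Scott's. The HTTP origin is simulated in memory so it runs offline, and the federation's XML Signature is replaced by an HMAC-SHA256 stand-in over the document bytes; the key, document bodies and timestamps are all constructed for the example.

```python
"""Conditional-GET metadata refresh with a DNS-like TTL and a signature gate.

Added example, not Shibboleth/OpenSAML code. The 'federation signature' is a
constructed HMAC-SHA256 stand-in for a real XML Signature, and the HTTP origin
is an in-memory fake, so everything here is an assumption for illustration.
"""
import hashlib
import hmac
from email.utils import formatdate, parsedate_to_datetime

# Constructed stand-in for the federation's signing key (assumption).
FEDERATION_KEY = b"constructed-federation-signing-key"


def federation_sign(doc):
    """Stand-in for the federation signing a metadata document (HMAC, not XML-DSig)."""
    return hmac.new(FEDERATION_KEY, doc, hashlib.sha256).digest()


def federation_verify(doc, sig):
    """Trust decision: does the federation's signature cover exactly these bytes?"""
    return hmac.compare_digest(federation_sign(doc), sig)


class FakeMetadataServer:
    """In-memory origin. Whoever hosts the file (federation or the SP itself)
    only determines *where* it is; serving it over TLS confers no trust."""

    def __init__(self, doc, sig, modified):
        self.publish(doc, sig, modified)

    def publish(self, doc, sig, modified):
        self.doc, self.sig, self.modified = doc, sig, modified

    def get(self, if_modified_since):
        """Return (status, body, sig, Last-Modified) honoring If-Modified-Since."""
        last_modified = formatdate(self.modified, usegmt=True)
        if if_modified_since is not None:
            since = parsedate_to_datetime(if_modified_since).timestamp()
            if self.modified <= since:
                return 304, None, None, last_modified
        return 200, self.doc, self.sig, last_modified


class MetadataCache:
    """Dynamic lookup replacing the cron job: no request inside the TTL,
    a cheap 304 revalidation after it, and a new body only kept if signed."""

    def __init__(self, server, ttl, verify=federation_verify):
        self.server, self.ttl, self.verify = server, ttl, verify
        self.doc = None            # last *verified* metadata document
        self.last_modified = None  # Last-Modified of that document, for If-Modified-Since
        self.expires = 0           # earliest time the next network check is due

    def refresh(self, now):
        if now < self.expires:
            return "cached"          # TTL still valid: serve from cache, no request
        status, body, sig, last_mod = self.server.get(self.last_modified)
        self.expires = now + self.ttl
        if status == 304:
            return "not-modified"    # origin confirmed our copy is current
        if not self.verify(body, sig):
            return "rejected"        # fetched fine, but not federation-signed: keep old copy
        self.doc, self.last_modified = body, last_mod
        return "updated"


def demo():
    """Walk through cache hit, 304, an unsigned self-published update, then a signed one."""
    doc1 = b"<EntitiesDescriptor version='1'/>"    # constructed sample metadata
    server = FakeMetadataServer(doc1, federation_sign(doc1), modified=1_000)
    cache = MetadataCache(server, ttl=600)
    events = [cache.refresh(1_000), cache.refresh(1_100), cache.refresh(1_700)]
    # The SP self-publishes new metadata without a federation signature: not trusted.
    doc2 = b"<EntitiesDescriptor version='2'/>"
    server.publish(doc2, b"\x00" * 32, modified=2_000)
    events.append(cache.refresh(2_400))
    # The same document, once the federation has signed it: accepted.
    server.publish(doc2, federation_sign(doc2), modified=2_500)
    events.append(cache.refresh(3_100))
    return events, cache.doc


if __name__ == "__main__":
    print(demo())
```

The refresh loop never asks who published the file; `verify` is the only thing that decides whether a freshly fetched body replaces the cached one, and on failure the previously verified copy stays in service rather than the cache going empty.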
